←back to thread

Mitigating the Hetzner/Linode XMPP.ru MitM interception incident

(www.devever.net)
341 points hlandau | 2 comments | 20 Oct 23 20:31 UTC | HN request time: 0s | source
Show context
mike_d ◴[20 Oct 23 23:34 UTC] No.37962674[source]
Great callout:

> Don't use Cloudflare or similar services. See my article here for an explanation on why. If you use a service like this, you're basically already MitMing yourself.

I wish more people would realize that when arguing on the internet about CAA, DNSSEC, NSA, etc. that none of it really matters. We willingly allow a government aligned entity to unwrap 20% of all TLS connections on the internet and peak inside.

replies(3): >>37962900 #>>37963174 #>>37964536 #
1. computerfriend ◴[21 Oct 23 06:20 UTC] No.37964536[source]
There are lots of reasons to not use Cloudflare, but many of those given in the article don't hold up. For example, Cloudflare does not set a cookie for all connections, discrimination against Tor users, CAPTCHAs and WAFs are all configurable.
replies(1): >>37974435 #
2. immibis ◴[22 Oct 23 11:23 UTC] No.37974435[source]
Cloudflare encourages all these bad things by making them simple checkboxes and insinuating that if you care about security you'll check the checkbox.